
Items tagged with: github

I'm making great progress on the next #Halcyon version. Uploads via copy & paste and drag & drop are already built in and work flawlessly. I had tried to build this feature before and failed at it. Perhaps I should not have looked for code examples on #Github, but simply searched on #MetaGer instead. That got me further this time. Image descriptions are also half done. All that's missing is actually sending them to the server. Will be finished tomorrow.

I'm *really* not happy about the #Github #Sponsors project (
It'll bind a lot of open source projects much more strongly to github's closed, proprietary ecosystem if that's where they have any chance of getting some money.

It's so hypocritical that soo many #FOSS projects are hosted on a non-free platform. With #Gitlab there's even a superior just as easy to use alternative there.

And most people are celebrating this move by github 😢.

It really bothers me that for follow requests, which you can now also accept and reject in #Halcyon, you don't get any notifications shown in the browser, only by e-mail, because the API simply doesn't provide for it. There is also a #Mastodon #Github issue about it, but it has been open for years without a proper solution, so I'll probably just have to accept it.

#TorrentFreak #CopyRight #Mafia #MeetTheAbsurd #HDMI #GitHub
“Confidential” HDMI Specifications Docs Hit With DMCA Takedown

A hacker is wiping Git repositories and asking for a ransom | ZDNet

The deletion etc. does not make any sense. Usually you have a local copy, as git is a distributed version control system.
But the threat could be relevant for private repositories.

#git #github #gitlab


Apache hooks up with GitHub | ZDNet

A lot of people are whining but forget that it's very simple to switch a git repo to a new host.
They used github, cause the tooling support is much better. And why not?

#Apache #Github #Microsoft

Software development: Docker Hub hack compromises data of 190,000 users -
#Docker #Datensicherheit #Github #Hacker #Sicherheitslücke #Applikationen #Security #Softwareentwicklung

@z428 @herrdoering @manyver_se @favstarmafia

I mean, what one actually wants is an #OpenSource-based solution for #WhatsApp #Facebook #twitter #github #google ...

Behind all of that is a company with enormous resources to run all of these services. The whole thing works "for free" on a commercial basis because so much money is made there.

Replacing that with a #free solution won't be easy, because essentially you need a similar amount of resources. Where would they come from?

Looks like the #GitHub "abuse" team "cleaned out" the #matrixnotorg account and "cleaned up" the #security issues..

Good exists.

GitHub, you #failed.


GitHub issues pieced together as one "story":

I noticed in your blog post that you were talking about doing a postmortem and steps you need to take. As someone who is intimately familiar with your entire infrastructure, I thought I could help you out.
Complete compromise could have been avoided if developers were prohibited from using ForwardAgent yes or not using -A in their SSH commands. The flaws with agent forwarding are well documented.
Escalation could have been avoided if developers only had the access they absolutely required and did not have root access to all of the servers. I would like to take a moment to thank whichever developer forwarded their agent to Flywheel. Without you, none of this would have been possible.
Once I was in the network, a copy of your wiki really helped me out and I found that someone was forwarding 22226 to Flywheel. With jenkins access, this allowed me to add my own key to the host and make myself at home. There appeared to be no legitimate reason for this port forward, especially since jenkinstunnel was being used to establish the communication between Themis and Flywheel.
I was able to login to all servers via an internet address. There should be no good reason to have your management ports exposed to the entire internet. Consider restricting access to production to either a vpn or a bastion host.
On each host, I tried to avoid writing directly to authorized_keys, because after a thorough peek at matrix-ansible-private I realized that access could have been removed any time an employee added a new key or did something else to redeploy users. But sshd_config allowed me to keep keys in authorized_keys2 and not have to worry about ansible locking me out.
The internal-config repository contained sensitive data, and the whole repository was often cloned onto hosts and left there for long periods of time, even if most of the configs were not used on that host. Hosts should only have the configs necessary for them to function, and nothing else.
Kudos on using Passbolt. Things could have gotten real messy, otherwise.
Let's face it, I'm not a very sophisticated attacker. There was no crazy malware or rootkits. It was ssh agent forwarding and authorized_keys2, through and through. Well okay, and that jenkins 0ld-day. This could have been detected by better monitoring of log files and alerting on anomalous behavior. Compromise began well over a month ago, consider deploying an elastic stack and collecting logs centrally for your production environment.
There I was, just going about my business, looking for ways I could get higher levels of access and explore your network more, when I stumbled across GPG keys that were used for signing your debian packages. It gave me many nefarious ideas. I would recommend that you don't keep any signing keys on production hosts, and instead do all of your signing in a secure environment.
You thought there were 8, but now there are 9 (that's right, I see you watching me, I'm watching you, too). This is the last one, and I think it's the best advice I've got for you.
2FA is often touted as one of the best steps you can take for securing your servers, and for good reason! If you'd deployed google's free authenticator module (sudo apt install libpam-google-authenticator), I would have never been able to ssh into any of those servers.
Alternatively, for extra security, you could require yubikeys to access production infrastructure. Yubikeys are cool. Just make sure you don't leave it plugged in all the time, your hardware token doesn't do as much for you when it's always plugged in and ready for me to use.
Alternate-Alternatively, if you had used a 2FA solution like Duo, you could have gotten a push notification the first time I tried to ssh to any of your hosts, and you would have caught me on day one. I'm sure you can set up push notifications for watching google-authenticator attempts as well, which could have at least given you a heads up that something fishy was going on.
Anyways, that's all for now. I hope this series of issues has given you some good ideas for how to prevent this level of compromise in the future. Security doesn't work retroactively, but I believe in you and I think you'll come back from this even stronger than before.
Or at least, I hope so -- My own information is in this user table... jk, I use EFNet.
#matrix-protocol #matrix #github
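A defender-side audit for the three configuration weaknesses the issues above name (ForwardAgent yes in the client config, an sshd AuthorizedKeysFile that honours authorized_keys2, and keys in that file which the configuration-managed authorized_keys does not contain). This is an added example, not code from the post or from the matrix.org project; all config snippets and keys are constructed.

```python
"""Audit SSH config text for agent forwarding, extra key files, and unmanaged keys."""
import re

# Constructed sample inputs (not from any real host).
SSH_CONFIG = """# constructed ~/.ssh/config
Host *
    ForwardAgent yes
Host bastion
    ForwardAgent no
"""
SSHD_CONFIG = """# constructed /etc/ssh/sshd_config
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
PermitRootLogin no
"""
MANAGED_KEYS = "ssh-ed25519 AAAAC3managed1 alice@laptop\n"
EXTRA_KEYS = "ssh-ed25519 AAAAC3managed1 alice@laptop\nssh-rsa AAAAB3unknown9 nobody\n"

def ssh_config_forwards_agent(text: str) -> list:
    """Return the Host/Match blocks of an ssh_config that set ForwardAgent yes."""
    block, hits = "*", []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"(\w+)[ \t=]+(.*)", line)        # 'Key value' or 'Key=value'
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            block = val                                 # entering a new block
        elif key == "forwardagent" and val.lower() == "yes":
            hits.append(block)
    return hits

def sshd_extra_key_files(text: str) -> list:
    """Return AuthorizedKeysFile entries beyond the default .ssh/authorized_keys."""
    extra = []
    for line in text.splitlines():
        m = re.match(r"(?i)authorizedkeysfile\s+(.*)", line.split("#", 1)[0].strip())
        if m:
            extra += [p for p in m.group(1).split() if p != ".ssh/authorized_keys"]
    return extra

def unmanaged_keys(managed: str, extra: str) -> list:
    """Key blobs present in an extra keys file but absent from the managed one."""
    def blobs(text):
        out = set()
        for line in text.splitlines():
            parts = line.split()
            for i, p in enumerate(parts[:-1]):          # skip any options prefix
                if p.startswith(("ssh-", "ecdsa-", "sk-")):
                    out.add(parts[i + 1])
                    break
        return out
    return sorted(blobs(extra) - blobs(managed))
```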

Is it native as in using the D* API or a web-client?

I was trying to make an #easy-share-option for Android/D* a while back but discovered that at the time, the only part of the #API which was implemented was the #OAuth2 / #OpenID login.

I did start to implement parts of the API to achieve my goal (sloppily, and in PHP ;) ) but got sidetracked into trying to find out what the state of the D* API was at the time (ie nonexistent) so let it slide.

Maybe I'll chuck the code up on my #github at some point. #diaspora #client #native



#software #torrent-search #p2p #dht #npm #github